1:42 am

Thu January 23, 2014

Target Hack A Tipping Point In Moving Away From Magnetic Stripes

A cryptographic chip embedded in a British debit card. America is nearly alone in still relying on magnetic stripes to authenticate purchases.

Christopher FurlongGetty Images

The credit and debit card data breaches at Target and Neiman Marcus compromised more than 70 million American consumers, and analysts say even more of us are at risk. That's because the technology we use to swipe for our purchases — magnetic stripes on the backs of cards — isn't hard for a skilled fraudster to hack.

"It's totally unprotected and it's static, so it's the same data that's read every single time. It's just about the worst security that you can put into a payment system," says Avivah Litan, a security analyst for Gartner, a firm retailers hire to assess their cybersecurity gaps.

Sophisticated cyberthieves got consumer data during the holiday season breaches by injecting a virus into Target's card payment terminals. From there, the bad guys systematically captured the information found on every card swiped, from Thanksgiving through just before Christmas.

"We've seen hacks as big as this before, in fact we've seen bigger, but what we haven't seen before is something this sophisticated and well-organized," Litan says. The data from the cards were turned around and sold on an underground market, where thieves can re-create credit cards using the stolen data and use them to make fraudulent purchases, she says.

Industry leaders know magnetic stripes are outdated and easily exploitable. The rest of the world moved on to a more secure, harder-to-hack payment system based on chip-enabled cards — chip and PIN. Chip-enabled cards are more secure because the data on the chip are hidden behind encryption. So even if criminals intercept what's on it, they can't reuse it.

"It's standardized all over the world and used all over the world, except in the U.S. and perhaps one country in Africa," Litan says.

"Basically my American credit card is like a second-class citizen here," Shapiro says. "I can't use the self-checkout line at the supermarket; I can't use the automated machine in the subway system or the post office. Some merchants charge me an extra charge just because of my American credit card."

Shapiro's new British pal, Ben Thompson, explains how he pays for purchases without swiping — or signing.

"I put the card in the machine. The retailer, the cashier will hand me a little key pad, I type in my [PIN]. And that verifies the transaction. It means I don't have to sign, I don't have to use a pen. I literally type in four little numbers," Thompson says.

As of last May, Visa says it issued at least 3.5 million chip cards in the U.S., and it aims to get the majority of U.S. consumers on chip-based cards by 2015. But changing over all those cards and card readers costs a lot of money, which is part of the reason it hasn't happened sooner.

"You have to upgrade all the terminals that are out there that are used by the merchants; you have to upgrade all the ATM machines; you have to issue new cards to consumers. So it's a lengthy process," says Litan, who estimates that even if a concerted effort to change to chip and PIN started today, it wouldn't be standard in the U.S. for at least three more years.

Interestingly, The Wall Street Journal reports that Target actually tried to collaborate with Visa 10 years ago, to use chip cards in 1,000 stores. But executives shelved the effort over worries that chip-based cards slowed down checkout speeds.

"It's gonna take time. It's going to be extraordinarily expensive. But it's something we must do," says Mallory Duncan, the general counsel at the National Retail Federation. "What the recent breaches have done is shone a spotlight on it and now I think all of the players are recognizing that changes have to be made."

He says retailers will adjust, because the cost of more major data breaches is too great.

"If you start bringing out the new PIN and chip cards, then retailers will begin to reconfigure their point of sale equipment to accept those cards," Duncan says.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

STEVE INSKEEP, HOST:

It's MORNING EDITION from NPR News. I'm Steve Inskeep.

RENEE MONTAGNE, HOST:

And I'm Renee Montagne. Good morning.

Major data breaches at Target and Neiman Marcus have compromised the personal information of at least 70 million Americans. Analysts say even more consumers are at risk because the card-swiping technology Americans use is not hard to hack.

And as NPR's Elise Hu explains, a more secure payment method is already up and running in other countries, forcing the U.S. to play-catch up.

ELISE HU, BYLINE: Sophisticated cyber-thieves got so much consumer data by injecting a virus into Target's card payment terminals. From there, the bad guys systematically captured the information found on every card swiped, from Thanksgiving through just before Christmas.

AVIVAH LITAN: We've seen hacks as big as this before - in fact bigger. But what we haven't seen is something this sophisticated and well organized.

HU: Avivah Litan is a security analyst for Gartner, which retailers hire to assess their cyber security gaps. She says the magnetic stripes on the backs of our cards, which carry our data, are way too easy to exploit.

LITAN: It's totally unprotected and it's static, so it's the same data that's read every single time. It's just about the worst security you can put into a payment system.

HU: And you don't have to travel into the future to find a more secure, harder-to-hack payment system. You just have to leave the United States.

(SOUNDBITE OF DIAL TONES)

HU: So I called up a friend that you and I know well who just moved across the Atlantic.

(SOUNDBITE OF RINGING PHONE)

HU: Ari Shapiro is NPR's new London correspondent. When he left D.C., he took with him his American-issued credit cards - the ones with those magnetic stripes.

ARI SHAPIRO, BYLINE: I can't use the self check-out line at the supermarket. I can't use the automated machines in the subway system or the post office. Some merchants charge me an extra charge just because of my American credit card.

HU: That's because, as Litan explains, magnetic stripes are so outdated that most other countries have moved beyond it. They use cards with tiny gold or silver chips embedded on them that payment terminals can read. In Europe and elsewhere, it's called the chip and PIN system.

LITAN: It's standardized all over the world and used all over the world, except in the U.S. and perhaps one country in Africa.

HU: Chip-enabled cards are more secure because the data on the chips is hidden behind encryption. So even if criminals intercept what's on it, they can't re-use it. Ari's new British pal, Ben Thompson, explains how he pays for purchases without swiping or signing.

BEN THOMPSON: I put the card in the machine. The retailer - the cashier will hand me a little key pad. I'll type in my number and that verifies the transaction. It means I don't have to sign, don't have to use a pen. I literally type in four little numbers.

HU: Visa aims to get the majority of U.S. consumers on chip-based cards by 2015. But changing over all those cards and card readers costs a lot of money, which is part of the reason why it hasn't happened sooner.

Again, Avivah Litan.

LITAN: You have to upgrade all the terminals that are out there that are used by the merchants. You have to upgrade all the ATM machines. You have to issue new cards to consumers. So it's a lengthy process.

HU: Interestingly, Target actually tried to collaborate with Visa 10 years ago to use chip-cards in 1,000 stores. But executives shelved the effort over worries that chip-based cards slowed down checkout speeds.

MALLORY DUNCAN: It's going to take time. And it's going to be extraordinarily expensive. But it's going to be something we must do.

HU: That's Mallory Duncan of the National Retail Federation. He says fallout from the big breach is creating consensus around making chip and PIN the American standard sooner.

DUNCAN: If you start bringing out the new PIN and chip cards, then retailers will begin to reconfigure their point of sale equipment to accept those cards. Eventually everyone's going to have to make this change.

HU: The change will take at least a few years. So until mag-stripes go away, watch your credit card statements closely. And if you're moving or even traveling overseas, you can do as Ari did.

SHAPIRO: Well, I opened a British bank account and so now I actually have a chip and PIN card.

HU: Much safer than a magnetic stripe, and they work most everywhere else in the world you want to be.